Policy Alerts

This page lists any significant updates that have been made to UVA information technology policies, standards, or procedures. By clicking the button below, you can sign up to receive an email notice whenever a new policy alert is created. Unless otherwise noted below, all changes are effective immediately.

We encourage you to review and familiarize yourself with these changes and to seek assistance from technology experts (i.e. Local Support Partners) in your areas or from the UVA Help Desk by emailing [email protected] or calling 434-924-4357. Background and additional information about these updated policies, standards, and procedures (PSPs) is on our Information Technology Policies, Standards, & Procedures webpage. For questions or concerns, please speak with your Local Support Partner (LSP) or email us at [email protected].

Subscribe or manage policy alerts email

Latest IT Policy changes and updates at the University of Virginia:

Last updated: 10/29/2020 - 10:15am

Non-Substantive change to the University Data Protection Standards

In the Responsibility for Data table of the University Data Protection Standards, under the Roles: Department Managers and Chairs (e.g. direct reports to VPs and Deans; Directors) section of the HSD column, we added links for some of the regulations already present (e.g., HIPAA) and additional references for several regulations and links (e.g., Controlled Unclassified Information (CUI), Covered Defense Information (CDI)), as well as a link to the guidance and assistance webpage provided by the office of the Vice-President for Research.

Questions and concerns should be directed to [email protected]

Last updated: 10/23/2020 - 10:17am

Substantive change: On October 22, 2020, the University of Virginia's Vice-President for Research office emailed and published on their website information about prohibitions on procurement and use of certain software and services. Of particular note for information security, federal regulations (enacted in the 2018 NDAA, Sec. 1634) prohibit the use or purchase of any software or services from Kaspersky Lab, or any entity of which Kaspersky Lab has a majority ownership. This includes its antivirus, internet security, password management, endpoint security, and other cybersecurity products and services. Details are on the UVA Vice-President for Research Best Practices webpage.

Our information security webpages that refer to the use of antivirus software, including the standards, procedures, and guidance webpages, have been updated with the above information on this prohibition.

Last updated: 09/09/2020 - 1:23pm

Several changes were made to the University Data Protection Standard 3.0.

Substantive changes

 - Changed language about the annual information security awareness training requirement to align with the revisions in IRM-002 Acceptable Use of the University’s Information Technology Resources
    at https://security.virginia.edu/university-data-protection-standards#Faculty: High Security Virtual Private Network (HSVPN) users are required to complete annually University provided information security awareness training. All other users of UVA IT resources should complete annually University provided information security awareness training.

 - Removed references to Joint VPN, updated to High Security Virtual Private Network (HSVPN) and added the link to ITS HSVPN webpage.

 - Added Revision History line near the top of the UDPS

Non-Substantive changes:

 - Corrected several broken links.

 - Previously had changed all references to "moderately sensitive data" to just "sensitive data". The definition of these data stays the same, just the adverb "moderately" is dropped. See the Policy Alert: Moderately Sensitive Data is now called Sensitive Data for details.

Last updated: 04/30/2020 - 7:53am

Effective April 28, 2020 

The Vendor Security Review Standard was revised to add UVA Wise to the Risk Rating and Sign-off tables.  The roles at UVA Wise that must review and sign-off on a vendor security review at UVA Wise were added to a new column in these tables. 

Questions and concerns should be directed to [email protected] 

Last updated: 03/20/2020 - 4:48am

Effective March 20, 2020

Non-Substantive change: The term moderately sensitive data has been changed to sensitive data. The definition remains the same.

Data, records, and files that:

Examples include information concerning the prevention of or response to cyber-attacks, or information that describes a security system used to control access to or use of an automated data processing or telecommunications system, or research records that do not contain Highly Sensitive Data, University ID numbers, i.e., those printed on University ID cards, and/or Family Educational Rights and Privacy Act-protected data not covered under the definition of “Highly Sensitive” data. This category of data also includes any data or record covered by the exemptions listed in the Commonwealth of Virginia Freedom of Information Act.

Questions and concerns should be directed to [email protected]

Last updated: 03/16/2020 - 5:27am

Effective February 12, 2020
The External Assessment Review Procedure has been revised based on feedback from a committee of stakeholders.  It is now a standard, named the Vendor Security Review Standard.
While it went from a procedure to a standard, most of the requirements from the procedure remain unchanged.  

What was changed: 

1. Specify the timeframe around which a SOC 2 assessment or other external assessment is valid: The vendor’s SOC 2 Type II report must cover a time period within 6 months of the request from UVA. If the SOC 2 Type II report is not within six months of the date requested, then the vendor must provide a bridge letter.

2. Specify the criteria for a vendor's alternative (e.g., not a SOC 2) assessment and alternatives if no external assessment from the vendor is available (https://security.virginia.edu/vendor-security-review-standard#2.2)

3. Change the Risk Review and sign-off to a table that more clearly delineates who must review and sign off at each level of risk assessment (high, medium, or low) (https://security.virginia.edu/vendor-security-review-standard#3%20Risk).

4. Changes reviewed and approved by the Chief Information Officer (CIO), a change from the procedure which was approved by the Chief Information Security Officer (CISO).

References to the old, superseded External Assessment Review Procedure in other policies, standards, and procedures are being updated to the new Vendor Security Review Standard.

Questions and concerns should be directed to [email protected] 

Last updated: 02/13/2020 - 9:03am

The Electronic Access Requirements standard (aka Electronic Access Agreement) had non-substantive changes to fix broken links, add to the list of Related Links, and explicitly reference the University's Acceptable Use of the University’s Information Technology Resources (IRM-002) policy in the standard's Purpose and Background section.

Last updated: 01/28/2020 - 5:53am

Our webpage on the ITS Guidance for Use of Personal Accounts or Redirection for University Email has been updated to redirect you to the ITS webpage on the same topic: ITS Guidance for Use of Personal Accounts or Redirection for University Email (KB0012593). Our webpage listed the same information that was on the ITS webpage, so to reduce confusion and out-of-sync information, we are referring to their webpage.

You may also want to consult the ITS webpage on Email Forwarding - Outlook Email Forwarding (KB0011264).

Last updated: 01/17/2020 - 10:20am

The Accounts Provisioning & Deprovisioning Guidance webpage was edited to remove the table that listed Affiliation, Obtain or Activate Accounts and Account Expiration and to redirect readers to the ITS webpage that lists this same information: the ITS Accounts & Access webpage.